Using Forms Authentication in ASP.NET, Part 3

In Part 2 we looked at configuring forms authentication, protecting
certain areas of a Web site through the authorization tag in Web.config, and how
to implement forms authentication for a scenario where user credentials were stored in a database table.
In this part, we'll look at how these credentials can be stored in Web.config; also, we'll wrap
up this article by discussing some various helpful tips when using forms authentication in ASP.NET.

Specifying User Credentials in Web.config
ASP.NET also allows you to define your login credentials in the Web.config file and Authenticate
against them using the Authenticate() method of the FormsAuthentication provider.
To demonstrate this we will first set up a set of credentials in the config file like so:

Although ASP.NET applications can be secured using credentials stored in the Web.config file,
you would obviously only use this method for a site where you had a relatively small number of users.
For larger sites it makes sense to keep authentication credentials stored in a database and use the
Custom validation method to validate unauthenticated incoming requests.

The Authentication Cookie
By default the RedirectFromLoginPage method issues a temporary cookie that expires when the
browser is closed. This cookie can be made to persist for 50 years by passing True as the second
argument of this method.

To demonstrate how a developer would implement this, let's imagine that we have a Checkbox on our
login form with the ID of chkPersistCookie. This checkbox could be used to allow the user
to optionally persist the cookie across multiple visits to the site, thus saving them from having
to login each time they visit. We could easily persist the cookie by simply passing in the value of
chkPersistCookie as the second parameter to RedirectFromLoginPage(), like so:

As you can see, if the Checkbox is checked then True will be passed and the Cookie will be
stored on the users machine, otherwise False will be passed and the Cookie will be issued as
a Session Cookie and expire when the user closes his/her browser.

Creating a Cookie with a custom Expiry Date
Alternatively you can create a cookie that's issued and has a custom lifetime instead of 50 years.
The key is to replace the call to RedirectFromLoginPage method with the your own
implementation, like so:

Here we have created a new authentication cookie, explicitly set its expiration date,
added the cookie to the Cookies collection of the current HttpResponse instance, and finally
we redirect the user to the page that they had requested.

Determining the Username of the Logged-On User
There are oftentimes when an authenticated user visits a page that you'd like to be able to determine who,
exactly, the authenticated user is. For example, if you were creating content customized to the user, you'd
most certainly be interested in the username of the user visiting your page. ASP.NET makes it easy to
determine this information. All you have to do is read the User.Identity.Name property. If, on
an ASP.NET Web page, you output this property and the visitor is an unauthenticated user, an empty
string will be returned and displayed. If, however, the user has been authenticated, then the property will
return the unique username you specified in the first parameter of the RedirectFromLoginPage()
method.

Summary
Hopefully you can see that the Forms Authentication Provider though it's Static methods has
greatly simplified the amount of code that needs to be written for menial and repetitive tasks such as
Checking for Authentication, Creating a Cookie and Re-Directing after authentication.